Create signed Windows binaries
What does this MR do?
This MR takes care of signing the Windows binaries: gitlab-runner-helper.x86_64-windows.exe, gitlab-runner-windows-amd64.exe and gitlab-runner-windows-386.exe.
Why was this MR needed?
See #2483. Basically this is necessary to mitigate a possible attack vector where it is currently easy to tamper with/replace our Windows executables without the user's knowledge.
Are there points in the code the reviewer needs to double check?
The current state is using a self-signed certificate, and a local env variable containing the certificate export password. We'll need to replace the files referenced by WINDOWS_CODE_SIGN_KEY_PATH/WINDOWS_CODE_SIGN_CERT_PATH and move WINDOWS_CODE_SIGN_PASSWORD to the CI environment variables.
This MR creates a new CI build image tag in order to pre-install the osslsigncode tool.
NOTE: I guess we could refactor the new jobs to extend binaries windows/386 windows/amd64 and helper images and move the signing script to after_script, instead of using needs. However, this might make it easier to break the job by tightly coupling the two. WDYT?
Does this MR meet the acceptance criteria?
- Documentation created/updated
- Added tests for this feature/bug
- In case of conflicts with master - branch was rebased
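
A release job can check that each Windows artifact actually carries an embedded Authenticode signature before it is published. The following is an added example, not code from this MR or from the GitLab Runner project: the function names and the sample bytes are constructed, and it only confirms that a signature blob is present and well-framed, not that the signature or its certificate chain is valid.

```python
import struct

CERT_DIR_INDEX = 4         # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def authenticode_blob(pe: bytes):
    """Return the embedded PKCS#7 blob, or None when the PE carries no signature."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                        # 4-byte signature + 20-byte COFF header
    try:
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)     # PE32 vs PE32+
        (count,) = struct.unpack_from("<I", pe, dirs - 4)
        if count <= CERT_DIR_INDEX:
            return None
        # For this directory the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", pe, dirs + 8 * CERT_DIR_INDEX)
        if offset == 0 or size == 0:
            return None
        if offset + size > len(pe):
            raise ValueError("certificate table points past end of file")
        length, _rev, cert_type = struct.unpack_from("<IHH", pe, offset)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    if cert_type != PKCS_SIGNED_DATA or not 8 <= length <= size:
        raise ValueError("malformed WIN_CERTIFICATE entry")
    return pe[offset + 8:offset + length]

def sample_pe(signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ headers for the demo; not a runnable program."""
    opt = bytearray(240)                                 # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    pe = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
                   + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22) + opt)
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200, PKCS_SIGNED_DATA) + signature
        cert += bytes(-len(cert) % 8)                    # entries are 8-byte aligned
        struct.pack_into("<II", pe, 0x40 + 24 + 112 + 8 * CERT_DIR_INDEX, len(pe), len(cert))
        pe += cert
    return bytes(pe)
```

In a pipeline, read each built .exe and fail the job when `authenticode_blob` returns None or raises.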